Tuesday, November 3, 2015

The Sagan Log Analysis Engine

What is Sagan?

Sagan is an open source (GNU/GPLv2) high performance, real-time log
analysis & correlation engine that runs under *nix operating systems
(Linux/FreeBSD/OpenBSD/etc). It is written in C and uses a
multi-threaded architecture to deliver high performance log & event
analysis. Sagan's structure and rules work similarly to the
Sourcefire/Cisco "Snort" IDS/IPS engine. This was intentionally done to
maintain compatibility with rule management software
(oinkmaster/pulledpork/etc) and allows Sagan to correlate log events
with your Snort IDS/IPS system. Sagan can also write to Snort IDS/IPS
databases via Unified2/Barnyard2. Sagan is compatible with all Snort
"consoles". For example, Sagan will work with Sguil ( http://sguil.sourceforge.net ), BASE, the Prelude IDS framework ( https://www.prelude-ids.org ) and proprietary consoles, to name a few.
Sagan supports many different output formats, log normalization (via http://www.liblognorm.com), script execution on event detection, automatic firewall support via "Snortsam", GeoIP detection/alerting, multi-line log support (flowbit), time sensitive alerting and much more.
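To show what "Snort-style rules applied to syslog" means in practice, here is an added toy example (not Sagan's own code or its actual rule grammar): it parses a couple of constructed Snort-style rules, applies their program:, content: and pcre: options to constructed syslog lines, and returns the alerts that fire. The rule keyword names and the sample log lines are assumptions made for the illustration.

```python
import re

# Constructed Snort-style rules (illustration only; the option keywords are an
# assumption for this example, not a statement of Sagan's real rule grammar)
RULES = [
    r'alert syslog any any -> any any (msg:"SSH authentication failure"; program:sshd; '
    r'pcre:"/Failed password for .+ from \d+\.\d+\.\d+\.\d+/"; classtype:unsuccessful-user; sid:9000001; rev:1;)',
    r'alert syslog any any -> any any (msg:"sudo command executed"; program:sudo; '
    r'content:"COMMAND="; classtype:successful-admin; sid:9000002; rev:1;)',
]

# Constructed sample syslog lines (RFC 3164 style), not real captured data
SAMPLE_LOG = [
    "Nov  3 10:12:01 web01 sshd[2231]: Failed password for root from 203.0.113.9 port 51122 ssh2",
    "Nov  3 10:12:05 web01 sudo[2240]: alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/cat /etc/shadow",
    "Nov  3 10:12:09 web01 CRON[2250]: (root) CMD (run-parts /etc/cron.hourly)",
]

OPTION_RE = re.compile(r'(\w+)\s*:\s*(?:"([^"]*)"|([^;]*))\s*;')
SYSLOG_RE = re.compile(r'^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) '
                       r'(?P<prog>[^\[:\s]+)(?:\[\d+\])?: (?P<msg>.*)$')

def parse_rule(text):
    """Split a Snort-style rule into its header words and an option dict."""
    header, _, body = text.partition('(')
    opts = {m.group(1): (m.group(2) if m.group(2) is not None else m.group(3).strip())
            for m in OPTION_RE.finditer(body.rstrip(')'))}
    return {'header': header.split(), 'opts': opts}

def parse_syslog(line):
    """Return timestamp/host/program/message fields, or None if the line is unparseable."""
    m = SYSLOG_RE.match(line)
    return m.groupdict() if m else None

def rule_matches(rule, ev):
    """Evaluate the program:, content: and pcre: options against one parsed event."""
    o = rule['opts']
    if 'program' in o and o['program'] != ev['prog']:
        return False
    if 'content' in o and o['content'] not in ev['msg']:
        return False
    if 'pcre' in o:
        body, _, mods = o['pcre'][1:].rpartition('/')   # strip the /.../flags wrapper
        if not re.search(body, ev['msg'], re.IGNORECASE if 'i' in mods else 0):
            return False
    return True

def scan(lines, rules=RULES):
    """Return (sid, msg, host) for every rule that fires on every parseable line."""
    parsed = [parse_rule(r) for r in rules]
    alerts = []
    for line in lines:
        ev = parse_syslog(line)
        if ev is None:
            continue  # a real engine would count or log lines it cannot parse
        alerts.extend((int(r['opts']['sid']), r['opts']['msg'], ev['host'])
                      for r in parsed if rule_matches(r, ev))
    return alerts
```

Running `scan(SAMPLE_LOG)` fires the sshd and sudo rules on web01 and leaves the CRON line alone, which is the same program-plus-pattern matching a Snort-style log rule expresses.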
The development of Sagan is sponsored by the Quadrant Information Security Team.
For more detailed information, visit the Sagan Wiki.

[02/03/2014] Sagan version 1.0.0RC1 released! New rules also released!

[12/10/2013] Champ Clark, the primary author of Sagan, will be on PaulDotCom Security Weekly on 12/12/13! Listen live if you can, or download the archive of the show! [MP3 of the interview can be found here].